The Plethora Of BC Standards

As a follow-up to my blog post yesterday, there’s another area that’s worth noting in the resurgence of interest in BC preparedness, and that’s standards. For a long time, we’ve had a multitude of both industry and government standards on BCM, including the Australian Standards BCP Guidelines, the Singapore Standard for Business Continuity / Disaster Recovery Service Providers (which became much of the foundation for ISO 24762 IT Disaster Recovery), the FFIEC BCP Handbook, the NIST Contingency Planning Guide, NFPA 1600, BS 25999 (which will become much of the foundation for the soon-to-be-released ISO 22301), ISO 27031, etc. There are also standards in other domains that touch on BC, such as the security standards ISO 27001/27002.

And when you come down to it, several of the broad risk management standards like ISO 31000 are applicable. At the end of the day, the same risk management disciplines underpin BC, DR, security and enterprise risk management. You conduct a BIA, risk assessment, then either accept, transfer or mitigate the risk, develop contingency plans, and make sure to keep the plans up to date and tested.

In my most recent research into various BCM software vendors and BC consultancies, as well as input from Forrester clients, BS 25999 seems to be the standard with the most interest and adoption. In the US at least, part of this I attribute to the fact that BS 25999 is now one of the recognized standards for US Department of Homeland Security’s Voluntary Private Sector Preparedness Accreditation and Certification Program. The other standards are NFPA 1600 and ASIS SPC.1-2009. I’ve heard very few Forrester clients mention the latter as their standard.

What do you think? Is BS 25999 the standard that your org has selected? Which of the standards do you prefer? Would you like to see a matrix of all the industry standards?


Federal vs. Private industry standards

Yes, it would be nice to see a crosswalk between the government and private sectors. NIST has done some very good work on this already but does not take into account different missions or corporate functions.

I agree with you on the

I agree with you on the standards. The sheer number of standards hinders their overall success in implementation. BS25999 seems to be most "referenced" during conversations. Part of the problem with the standards is that they all are saying essentially the same things. Some are more balanced than others -- as it relates to business versus technology. In addition, some simply don't address much-needed areas of focus. The sooner we get to a single accepted standard, the better off the discipline of business continuity (resilience) will be.